The sheer volume of data, manual recovery processes, skills and application knowledge gaps, and silos of responsibility are among the operational resilience challenges Gartner identified in a 2022 report.
“Applications and APIs are expanding to make more business functionality accessible,” according to the Gartner 2022 Planning Guide for Security and Risk Management. “Along with these trends, security and risk management professionals are facing an increasing number of hazards from a growing and varying threat environment.”
With these trends come additional risk. The European Union seeks to strengthen the IT security of financial entities with the Digital Operational Resiliency (DORA) legislation. The legislation affects not only banks, insurance companies and financial markets in the EU, but also organizations that conduct business with these financial entities.
It’s easy to understand why DORA has been enacted. The basic requirement of DORA is that businesses will ultimately be able to demonstrate to auditors that their technology infrastructure provides the capabilities to recover from any issue: be it a cyberattack, a data breach or a simple accident where critical information is inadvertently deleted by a fat-fingering user.
Further, DORA takes an all-inclusive view. A business is responsible for its IT environment as a whole, and not simply the machines it operates on the raised floor. Your IT staff may consist of admins and storage architects. You may have workloads running both on-premise and in cloud environments offsite. To DORA, it’s all the same, and your business is responsible for every bit of it. Whatever might happen, you must be able to prove that you have all the pieces in place to swiftly recover.
Operational Resilience and DORA’s Requirements
Though there are many definitions of Operational Resilience, I believe Gartner’s Information Technology Glossary sums it up. “Operational resilience is defined as initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite and tolerance levels for disruption of product or service delivery to internal and external stakeholders (such as employees, customers, citizens and partners).”
Ireland’s International Financial Services Centre (IFSC), outlines the key DORA dates and milestones. Entities that violate act’s requirements may face fines of up to 2% of their total annual worldwide turnover or, in the case of an individual, a maximum fine of EUR 1,000,000, according to IFSC.
Though DORA is focused on the financial industry, its impact will be felt throughout the business world. While other nations and certain industries are adopting similar measures, DORA, which will be phased in over the next 18-24 months, may be the most significant development to date in the area of cybersecurity and data resiliency.
Building Resiliency and Cybersecurity Into Your IT Framework
It’s an obvious but also an important point: Getting current on mainframe hardware and software is a critical first step toward achieving cybersecurity and data resiliency. If you’re three generations back on hardware or you’re running five back levels of z/OS, your organization simply won’t be as secure as it could be. z/OS V2.5, released in 2021, boasts an array of security and data privacy capabilities. And of course the IBM z16 debuted in 2022. Tools are another critical consideration. For instance, the IBM Z Batch Resiliency management solution (IZBR) goes beyond batch. IZBR is an automated tool that provides the capabilities to manage applications and non-database managed data such as VSAM, sequential, batch, etc. And for those who have an air-gapped copy, it provides an inventory of ALL data sets, from Db2 to IMS and PDS and on down the line, and can surgically recover those data sets as needed. IZBR fits within the DORA framework. It identifies, protects and prevents, provides detection, and assists in response and recovery.
DORA Changes the Data Resiliency Game: Stay Ahead of It
In certain respects, I believe DORA is telling us to go back to the old standards. Very few organizations do true testing at all anymore. Today, we test the hardware and fail it over. We test specific applications.
But DORA raises a question: Have you sufficiently built into your operational frameworks the resiliency that they need? That’s important because we don’t know our data the way we once did. Knowing your data doesn’t happen by simply making copies of it. We need to get back to doing good old-fashioned data recovery, where we actually understand our data, how it’s used and where it’s backed up. To be truly operationally resilient, we must make sure the right data backed up for the right amount of time, with the ability to recover quickly and effectively, no matter what the event is.
Much will change with DORA. It will change business—and it will assuredly erase the silos between applications, operations and storage. DORA leaves no choice other than for these groups to work together to address the problem and create the solution.
We no longer can rely on manual efforts or how we have always done it. We are modernizing applications and we are proving that the mainframe platform is a platform of the future. IZBR can help your organization improve resiliency to meet the requirements outlined in DORA. To learn more about IZBR, contact us.